Google Chrome Has a Bug That Could Let Anyone Eavesdrop on You

Voice control is an awesomely futuristic way to control your technology like a spaceman, but only if you can trust it. So you might want to stay tight-lipped around Chrome; Google's browser has a dangerous security flaw that can let malicious sites eavesdrop on your every word.

Discovered by web developer and Gizmodo reader Tal Ater, the bug in question is simple when exploited. All a malicious site has to do is get you to enable voice control for any legitimate purpose—maybe you want to dictate some text to a webapp, or record some noise for whatever reason—and it can potentially access your computer's mic long after you've navigated away.

All it needs to do is shoot out a pop-under window disguised as an ordinary ad, or something similarly innocuous, to keep your microphone hot. As long as it remains open, every noise you make will be sent back to Google through Chrome, and then on to the snoopers for whatever purpose they see fit. And there's no way for you to tell that the site you visited 20 minutes ago is still up to no good.

The dirty trick actually requires the use of a number of exploits, but the big one is that in Chrome, only full-on tabs indicate that they're listening in via your microphone. Smaller banner windows can continue to listen without showing anything at all. Tal reached out to Google with the bugs months ago, and Google confirmed to him that they were security flaws. But four months later, a fix still hasn't been pushed live to users. As of this morning, it seems the bug is still out there.

The good news is that you need to initiate Chrome's voice recognition in the first place for this to work. Until a fix comes, you can protect yourself by just never talking to Chrome, or only activating your microphone on trusted sites. Still, the existence of flaws like this (that aren't promptly sewn up) makes it a little harder to be excited about the Star Trek future an always-on microphone can enable, and makes it easier to be creeped out that Google and god-knows-who-else could be listening to talk to yourself at three in the morning.

You can read about the bug in nitty gritty detail over at Tal's website or check out the exploit code on GitHub. We've reached out to Google and will update if and when we hear back.